Solved: How to troubleshoot why my Windows universal forwa...

peter_gianusso · ‎07-21-2015

Recently my Windows Universal Forwarder stopped forwarding Windows application event log messages to my indexer. Seems to have stopped for all of the Windows application event logs it was forwarding.

Where is that activity logged or a better way to troubleshoot it? I looked in the splunkd.log files, from when it worked and when it stopped working, and cannot find any messages related to forwarding Windows event logs. There are no log messages from it worked. There are no log messages since it stopped working.

I don't recall doing any upgrades. No security changes were made that I am aware of.

It does not seem to be a WMI problem per say. I can use Splunk to use WMI to get WIndows performance counters such as disk space, CPU, etc

Thanks!

peter_gianusso · ‎07-21-2015

Seems to have something to do with the use of current_only = 1. I removed that and everything started working again.

View solution in original post

peter_gianusso · ‎07-21-2015

Seems to have something to do with the use of current_only = 1. I removed that and everything started working again.

How to troubleshoot why my Windows universal forwarder stopped forwarding Windows application event logs?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...